1. Greenhouse Support
  2. All Recruiting topics
  3. Security
  4. Audit log

Understand audit log data

Permissions:

Product tier: Available to Expert subscription tier with audit log add-on

Audit log offers a record of important events in your Greenhouse Recruiting environment from the previous 30 days. You can access audit log with Business Intelligence Connector or Greenhouse API.

In this article

Audit log payload

Audit log results contain the following attributes in API and columns in Business Intelligence Connector:

request_id The ID of the request, which can be used to link an event and its resulting changes across multiple audit log results
request_type The type of request
performer_meta The name and Greenhouse Recruiting email address of the person who performed the change, or the exact type of API key that performed the event
performer_id

The Greenhouse Recruiting user ID of the person who performed the change, or the API key name if performed via Greenhouse API
performer_ip_address The IP address of the person or integration that performed the event
performer_type

One of the following values: user, api_key, greenhouse_internal
organization_id Your organization's unique Greenhouse Recruiting ID
event_meta The before and after values from data change events, or other relevant data for the event such as the title of a report
event_target_type

The type of event that occurred, as defined in the audit log event glossary
event_type

The exact cause of the event, as one of the following values: data_change_update, data_change_create, data_change_destroy, harvest_access, action
event_target_id The ID of the element that was created, edited or accessed; this may be blank if the action does not target one particular ID
event_time

The exact time the event occurred, represented in ISO-8601 format, like 2023-05-03T16:38:46.985Z

Note: A single event in Greenhouse Recruiting, like "Single Sign-On Changed," may return multiple audit log results. Link an event and its subsequent changes with by request_id  to dig further into an event. Linked results may include event details, or before and after values, in the event_meta attributes.

How to use audit log successfully

Audit log returns a rolling record of data changes and updates. Major events are defined in the audit log glossary. To dig further into an event, query by its request_id to find related changes in audit log.

An infographic says Guidance - A single event in audit log can be composed of multiple logs linked by request ID - then shows an infograph of a request_id block leading to multiple 'action' and 'create' logs in audit log. It says, query by request_id to find related from an event. It says, action logs are defined in audit log glossary

Whether you use audit log for a rolling record of historical changes or to target alerts to sensitive events, the basics will be the same:

  • event_target_type: Use this attribute for isolating certain types of events and sensitive changes. Check out the audit log glossary for a definition of events like 'Job Info Changed':
select * from audit_log where event_target_type = 'Job Info Changed'
  • request_id: If you want to investigate an event further, use the event's request_id to find linked audit log entries containing event details:
select * from audit_log where request_id = 'bbe330197ea'
  • event_meta: Audit log results sharing a common request_id may include event meta as before and after values or other important details about the event. Check out the example queries below.
  • event_time: Use the linked entries and the corresponding event times to produce a timeline of events.
  • performer_id: Examine which Greenhouse Recruiting user or integration performed the event.

Example queries

You can use attributes in API and columns in Business Intelligence Connector as query parameters, combined with the audit log glossary, to isolate impactful events in audit log.

 

Business Intelligence Connector

Query for information on impactful events using Business Intelligence Connector.

Query

select * from audit_log where event_target_type = 'Single Sign-On Changed'

 

Return

organization_id event_time request_id request_type performer_id performer_type performer_meta performer_ip_address event_type event_target_id event_target_type event_meta
400123123 2023-06-29 14:15:00.306 8df9ae5a17e522b8
developer/sso/saml_configs#update
 5407147002 user {"name"=>"Katy Glaude", "username"=>"katy.g@ymail.com"} 123.123.123.123 action [NULL] Single Sign-On Changed  

Use an event's request_id to find linked audit log entries containing event details in event_meta as before and after values or other important details about the event.

Query

select * from audit_log where request_id = '8df9ae5a17e522b8'

 

Return

organization_id event_time request_id request_type performer_id performer_type performer_meta performer_ip_address event_type event_target_id event_target_type event_meta
400123123 2023-06-29 14:15:00.306 8df9ae5a17e522b8
developer/sso/saml_configs#update
 5407147002 user {"name"=>"Katy Glaude", "username"=>"katy.g@ymail.com"} 123.123.123.123 action [NULL] Single Sign-On Changed  
400123123 2023-06-29 14:15:00.706 8df9ae5a17e522b8
developer/sso/saml_configs#update
 5407147002 user {"name"=>"Katy Glaude", "username"=>"katy.g@ymail.com"} 123.123.123.123 data_change_update 4000562002 SamlConfig {"idp_cert_fingerprint"=>["", "geI4003kEMo03p2mL0"], "idp_slo_target_url"=>["", "www"], "name_identifier_format"=>["", "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"], "sso_enabled_status"=>["disabled", "soft_enabled"], "idp_sso_target_url"=>["", "com"

Use any other columns to query as needed.

Query

select * from audit_log where event_target_type = 'PII Page Accessed' and event_time between '2023-06-29 00:00:00.000' and '2023-06-30 23:59:00.0' and performer_id = '5407147002'

 

Return

organization_id event_time request_id request_type performer_id performer_type performer_meta performer_ip_address event_type event_target_id event_target_type event_meta
400123123 2023-06-30 15:27:07.334 b9e934e07034476 hiring_plans#setup 5407147002 user {"name"=>"Katy Glaude", "username"=>"katy.g@ymail.com"} 123.123.123.123 action [NULL] PII Page Accessed  

 

Audit log API

Use audit log API to request specific events for rolling alerts in security monitoring.

Request

GET https://auditlog.us.greenhouse.io/events?event_target_types=Delete Candidate,Delete Application,Single Sign-On Changed

 

Return

{
"results": [
        {
            "request": {
                "id": "8df9ae5a17e522b8",
                "type": "developer/sso/saml_configs#update"
            },
            "performer": {
                "meta": {
                    "name": "Katy Glaude",
                    "username": "katy.g@ymail.com"
                },
                "id": 5407147002,
                "ip_address": "123.123.123.123",
                "type": "user"
            },
            "organization_id": 4002999002,
            "event": {
                "meta": null,
                "target_type": "Single Sign-On Changed",
                "type": "action"
            },
            "event_time": "2023-07-21T18:21:23.607Z"
        }
    ]
}

Note: Returns have been truncated for presentation.

Check out audit log use cases for more example queries.

Learn more

Audit log use cases

Audit log glossary

Audit log FAQ